PLXsert Eyes Spike in SNMP Reflection DDoS Attacks

Akamai's Prolexic Security Engineering Response Team (PLXsert) has seen a significant resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks this past month.

In an advisory, PLXsert said these DDoS attacks abuse the SNMP protocol, which is commonly supported by network devices such as printers, switches, firewalls and routers.

The advisory notes that many network devices use SNMP to store such data as IP addresses on a router or the type of toner used in a printer. Further, older devices (those manufactured approximately three or more years ago) used SNMP version 2 and were commonly delivered with the SNMP protocol openly accessible to the public by default.

"Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target," the advisory said. "This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic."

More from the advisory:

Attackers appear to be using a malicious tool to automate their GetBulk requests, possibly using multiple threads. First, an attacker would need to scan the Internet for hosts that are listening on port 161 and using a community string of public. The tool or a paid DDoS service may provide lists of such devices. The list of IP addresses would be placed in a text file, which is input into the attack tool.

Using the IP address of the attacker's target as a spoofed source from which the requests will appear to originate, the attacker generates snmpbulkget requests to the list of reflectors. These actions lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker. The IP address of the actual attack source will be hidden.
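A target-side detection for the flow described above, added here as an example (not code from the advisory or from Akamai): it flags a host receiving SNMP responses from UDP source port 161 that it never requested, arriving from several distinct reflectors. The flow-record layout, the reply window, the alert threshold and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

SNMP_PORT = 161
REPLY_WINDOW = 5.0      # assumed: seconds a legitimate reply may lag its request
MIN_REFLECTORS = 3      # assumed alert threshold; tune for the monitored network

# Constructed sample flows: (time, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", 40001, "10.0.0.20", 161, 80),     # NMS polls a switch
    (0.1, "10.0.0.20", 161, "10.0.0.5", 40001, 300),    # solicited reply
    (1.0, "198.51.100.7", 161, "203.0.113.9", 53211, 1400),
    (1.1, "198.51.100.8", 161, "203.0.113.9", 53211, 1400),
    (1.2, "192.0.2.44", 161, "203.0.113.9", 53211, 1400),
    (1.3, "192.0.2.44", 161, "203.0.113.9", 53211, 1400),
]


def find_reflection_targets(flows, min_reflectors=MIN_REFLECTORS):
    """Return {target_ip: (distinct_reflectors, unsolicited_bytes)}."""
    last_request = {}               # (requester, agent) -> time of last request
    sources = defaultdict(set)      # target -> reflectors that sent unsolicited data
    volume = defaultdict(int)       # target -> unsolicited bytes received
    for ts, src, sport, dst, dport, size in sorted(flows):
        if dport == SNMP_PORT:
            # A request really sent by src; remember it so the reply is expected.
            last_request[(src, dst)] = ts
        elif sport == SNMP_PORT:
            # A response from an SNMP agent; check whether dst asked for it.
            asked = last_request.get((dst, src))
            if asked is None or ts - asked > REPLY_WINDOW:
                sources[dst].add(src)
                volume[dst] += size
    return {target: (len(refl), volume[target])
            for target, refl in sources.items()
            if len(refl) >= min_reflectors}


if __name__ == "__main__":
    for target, (count, size) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{target}: {size} unsolicited SNMP bytes from {count} reflectors")
```

Because the requests are spoofed, the target's own flow data never contains the matching outbound request, which is the property this check relies on.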

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "Newly available SNMP reflection tools have fueled these attacks."
